Big data and the joint application of EU competition and data protection law: An overview of EU and national case law
Big data, namely the aggregation and analysis of data extrapolated from different sources throughout the digital market, has attracted a great deal of attention in recent years by triggering various legal questions within and outside the EU.
Given the evident data protection issues arising from the improper collection of user data (see for example Schrems; Google Spain), some legal theorists, data protection and competition authorities started questioning whether such kind of data collection, extended to large-scale, would even create the preconditions for a breach of competition rules.
The competition concerns that may arise from big data are still mainly based on speculations, especially considering the lack of a significant case-law in such matters. However, in antitrust circles the idea that big data might eventually represent a source of market power and distortion of competition appears to be mostly accepted even by competition authorities.
Such interlinked enforcement of competition and data protection law may lead to a remarkable evolution of competition policy enforcement in IT markets. It is thus worth examining how the European Commission and the national competition authorities (NCAs) have addressed this kind of issue within their case-law.
2. The interplay between EU competition and data protection law
The main question concerning the interplay between EU competition and data protection law is whether data protection issues could be included within the analytical framework employed by competition authorities.
Former competition commissioner Almunia in 2012, in his speech Competition and personal data protection addressed the issue for the first time by stating: «a single dominant company could of course think to infringe privacy laws to gain an advantage over its competitors» (p. 3). However, he did not propose an interlinked application of competition and data protection rules, preferring to outweigh competition risks through regulation. «When unfair or manipulative commercial practices become pervasive in a market to the detriment of consumers and users the matter is best resolved with regulation»(p. 3).
The European Data Protection Supervisor (EDPS), following Almunia’s words, in March 2014, published a Preliminary Opinion on Privacy and competitiveness in the age of big data, suggesting competition, data protection and consumer protection authorities to join their forces. It stated: «Greater convergence in the application of these policies could help meet the challenges posed by the big data economy» (p. 6). According to EDPS’s view, those set of rules all converge around a two-fold purpose, namely the protection and promotion of individuals’ welfare. Furthermore, after recognizing the possible threat posed by Big Data over all the mentioned law areas, the EDPS identified privacy policies as a feasible competitive advantage, assuming that companies would (and should) have started to compete on protecting privacy (p. 33).
The French and German competition authorities in their joint studyCompetition Law and Data(Joint Study), in addition to having identified certain competition issues stemming from big data, such as barriers to entry and foreclosure effects, recognized a fair degree of overlap between data protection and competition law: «Decisions taken by an undertaking regarding the collection and use of personal data can have, in parallel, implications on economic and competition dimensions. Therefore, privacy policies could be considered from a competition standpoint whenever these policies are liable to affect competition, notably when they are implemented by a dominant undertaking for which data serves as a main input of its products or services»(p. 23). Moreover, from a systemic point of view, they recalled the Allianz Hungária judgment, where the European Court of Justice held that a specific set of national rules (Hungarian insurance law) could be taken into account to assess an EU competition law infringement (para. 46-47).
Part of the legal theorists clearly support the interaction between the two areas of law (e.g. M. K. Ohlhausen, A. P. Okuliar; P. Swire;F. Costa-Cabral, O. Lynskey). By assuming that data use policies might constitute a competitive non-price parameter, they argued that industry collusion or exploitative reduction of privacy quality by a dominant undertaking at a level which leads to an infringement of data protection law, would result respectively in a breach of art. 101 or art. 102 of the TFEU (Costa-Cabral, Lynskey, pp. 18-24). In particular, the breach of privacy policies hence of data protection rules, would translate into foreclosure effects, hence into competition infringements, through an increased accumulation of data. The Bundeskartellamt, as indicated below (§ 4), has recently taken a similar standpoint.
3. Data protection concerns within the EU merger control assessment
The Commission came across big data-related legal issues for the first time by assessing the Google/DoubleClick merger in 2008. On that occasion it had both: analyzed the foreclosure effects deriving from the combination of the Google and DoubleClick customer datasets, with negative results; and expressed itself over another central matter, namely the appraisal of data protection issues, again with negative results. Indeed, in this respect the Commission denied the possibility to carry out a competition assessment covering data protection issues: «this decision is without prejudice to the obligations imposed onto the parties by Community legislation in relation to […] the protection of privacy with regard to the processing of personal data» (para. 97). Actually, such a statement implicitly recalled the position adopted by the European Court of Justice in Asnef/Equifax, where a similar problem was at stake although not particularly in the big data field: «any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection» (para. 63).
In its recent decision Microsoft/LinkedIn, the Commission appears to have made a U-turn regarding the modus operandi described above. Besides assessing, among other things, competition concerns arising from the concentration of parties’ user data, again with negative results, the Authority addressed privacy related concerns as well. However, departing from its previous decisions, the Commission stated within its press release the following: «privacy related concerns as such do not fall within the scope of EU competition law butcan be taken into account in the competition assessment to the extent that consumers see it as a significant factor of quality, and the merging parties compete with each other on this factor». And furthermore: «In this instance […] data privacy was an important parameter of competition between professional social networks on the market, which could have been negatively affected by the transaction».
It is important not to misinterpret the words of the Commission. The latter does not state that data protection concerns might be solved through competition tools and vice versa. Neither has it recognized the possibility to envisage distortions of competition consisting in consumer data accumulation by way of data protection infringements, as suggested in the Joint Study and by legal theorists (§ 2). Instead, the Commission has merely confirmed that privacy policies might constitute a competitive non-price parameter for online platforms. Hence, a concentration among two digital platforms may lead to less competition within the market on those grounds if the «merging parties compete with each other on this factor» and accordingly to less choice for consumers.
Indeed, within the decision’s full text, the Commission affirmed, with reference to the merger’s impact on consumer choice, that «the foreclosure effects would lead to the marginalisation of an existing competitor which offers a greater degree of privacy protection to users than LinkedIn» (para. 76). Therefore, the inclusion of privacy policies within Commission’s competitive assessment serves to evaluate another quality element affecting consumers’ choice. The Commission, conversely, does not appear keen on going well beyond the boundaries of its prospective analysis, by involving possible unlawful accumulations of users’ data stemming from lower quality of those policies. In this respect, it mentions in the decision at issue (para. 16), and in the more recent decision Verizon/Yahoo(para. 34), the suitability of actual and upcoming data protection legislations, i.e. the new General Data Protection Regulation , to contrast such practices at their root cause .
4. Data protection concerns in the NCAs’ enforcement activity
Member States’ competition Authorities went further. In March 2016 the Bundeskartellamt has initiated proceeding against Facebook on suspicion of having abused its market power by infringing data protection rules. Specifically, the German competition authority argued that Facebook’s “Terms and Conditions” could represent an abusive imposition of unfair conditions on users: «It is difficult for users to understand and assess the scope of the agreement accepted by them». In that case, the exploitative abuse presumably consists in a breach of data protection rules leading to a competitive advantage in terms of more consumer data. In particular, Facebook would abuse its indisputable dominant position within the social networks market by exploiting the information asymmetry between the company and its new users. As affirmed by the President of the Bundeskartellamt: «for advertising-financed internet services such as Facebook, user data are hugely important. For this reason it is essential to also examine under the aspect of abuse of market power whether the consumers are sufficiently informed about the type and extent of data collected».
The Italian competition authority (AGCM) similarly raised its voice against WhatsApp.On 11 May 2017, it closed two investigations, opened in October 2016, imposing a fine of € 3 million on the parent company Facebook for certain WhatsApp’s conducts in breach of the Consumer Code.
The first and main proceeding concerns the unfair commercial practice implemented by WhatsApp. The latter right after the merger with Facebook (§ 3) misleadingly imposed new “Terms and Conditions” allowing the sharing of personal data with the social media giant. In particular, WhatsApp forced its users to believe that if they had not accepted the new “Terms and Conditions” involving the sharing of data with Facebook, they could not have continued using the messaging service.The Commission has recently taken steps against Facebook on this point but on different grounds. On 18th April 2017, it fined Facebook € 110 million for providing misleading information during the investigation related to Facebook’s planned acquisition of WhatsApp. In fact, at the time, Facebook had denied the possibility to match its users’ accounts with WhatsApp users’ accounts, hence the data sharing. The incorrect information did not affect the already determined merger clearance.
With specific regard to the first proceeding and to the issues under consideration, WhatsApp has acknowledged the employment of the data exchanged with Facebook for advertising purposes, therefore for the typical final usage of big data analytics. Yet the competition aspects have not been mentioned within the AGCM’s decision. It has, nonetheless, addressed the interplay with data protection rules by pointing out that: «as a matter of principle, the fact that a party’s conduct is covered by the Privacy Code does not release that party from being compliant with the rules on unfair commercial practices»; and that the conduct at issue is not covered by the Privacy Code, integrating conversely «an unfair commercial practice […] falling, exclusively, under the competence of the AGCM» (p. 13).
The proceedings initiated against Facebook and WhatsApp rotate around similar circumstances. In both cases, the presumed unlawful conducts concerns an imposition of excessively burdensome “Terms and Conditions”. However, while the AGCM decided (or had) to operate within the boundaries of the powers conferred on it as regards unfair commercial practices, the Bundeskartellamt, in consistency with the German hard-line approach over digital platforms, took a rough road, qualifying the conduct as an exploitative abuse of dominance. Moreover, given the specific circumstances, the Bundeskartellamt is currently collaborating with the German data protection officers. Such borderline and hybrid action, in face of the abovementioned Commission’s position, brings with it many critics and doubts, but also cautious expectations for a more holistic and far-reaching antitrust enforcement.
The Commission and the NCAs seem to share the same view regarding possible distortions of competition flowing from the accumulation of personal data by digital giants, specifically in terms of abusing their dominant position. However, this is not the case when it comes to the interlinked application of competition and data protection rules.
The Commission recognizes, in specific cases, privacy policies as an important parameter of competition among digital platforms, though it apparently prefers to keep the two areas of law separated. As affirmed in Microsoft/LikendIn and Verizon/Yahoo, data protection concerns shall be only addressed by data protection legislation. The latter draws a red line preventing at source unlawful accumulation of consumers’ data and accordingly eventual competition infringements. Consequently, competition concerns, as put forward initially by Almunia, could be to a large extent offset through data protection regulation.
On the contrary, NCAs opened new scenarios. The Bundeskartellamt demonstrated that in fact there might be certain room for an interplay between the two law areas in antitrust enforcement. The AGCM, on the other hand, consolidated its recent trend, the convergence of competition and consumer protection enforcement. Through the WhatsApp case, it provided a slick alternative to those NCAs willing to hinder big data abuses related to commercial practices without trespassing into the data protection field.
It is possible to conclude that, for now, data protection legislation represents the most efficient and better tailored tool to contrast such practices, even though we can expect further exceptional developments within NCAs’ areas of action, especially through the employment of consumer protection legislation.